
Malware Removal Instructions

Intermittent internet and other stuff!


Post by Grezza » November 16th, 2006, 7:14 am

Took a while but got there in the end with AVG.



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at: 16:37:34 15/11/2006

 + Scan result:

C:\Program Files\Common Files\{4875D8BB-0879-1033-0422-04040623002c}\Update.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{4875D8BB-087B-1033-0422-04040623002c}\Update.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\Program Files\VSAdd-in\VSAdd-in.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\Program Files\PrintView\printhook030.dll -> Adware.PrintView : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreensaversInstaller -> Adware.Screensavers : Cleaned with backup (quarantined).
C:\VundoFix Backups\iyaohcmv.exe.bad -> Adware.Searchcolor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bsrhtlio.exe -> Adware.Searchcolor : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{4875D8BB-0879-1033-0422-04040623002c}\services.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{4875D8BB-087A-1033-0422-04040623002c}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{4875D8BB-087A-1033-0422-04040623002c}\services.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{4875D8BB-087B-1033-0422-04040623002c}\services.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\VundoFix Backups\awtqqpp.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\awtrrpq.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\awtrssp.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\byxuvut.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\byxvwxv.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\byxwwwv.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\cbxwuss.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\cbxyaxy.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\ddcawww.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\ddccbbx.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\ddcdbba.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\ddcdebx.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\efcywxw.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\fcccyvt.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\gebcdba.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\gebxvtt.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\gebxvwx.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\iifccdb.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\iifgedd.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\iifghgf.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\khfdaxv.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\khffecc.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\khfgggg.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\ljjgede.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\ljjkkjk.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\mljijgh.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\opnnljk.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\pmnkhfe.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\pmnmnkj.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\rqrpooo.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\rqrrrrp.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\ssqpnli.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\ssqqomn.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\ssqqrrq.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\tuvtust.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\tuvutqq.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\tuvuvsr.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\tuvwuur.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\urqpnkk.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\vtutusq.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\wvustut.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\wvutstt.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\xxyabaa.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\xxyyxvu.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\yayvwus.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\yayxvvt.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ssqnmli.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\wacky2.exe/rmsyrup.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\WINDOWS\system32\SpOrder.dll -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
C:\fopn.sys -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
C:\WINDOWS\alm.exe -> Downloader.Small.duf : Cleaned with backup (quarantined).
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\DD1TYA9I\alm[1].exe -> Downloader.Small.duf : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.m : Cleaned with backup (quarantined).
:mozilla.14:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.16:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.17:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.330:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.57:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.58:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.355:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.356:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.284:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.285:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.286:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.64:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.65:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.118:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.119:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.120:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.121:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.62:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.63:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.80:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.81:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.82:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.83:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.454:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.455:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.456:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.53:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.54:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6nwli6sj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

::Report end




Administrator - 06-11-16 9:39:05.98 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Administrator\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\PrintView
C:\Program Files\Common Files\{4875D8BB-0879-1033-0422-04040623002c}
C:\Program Files\Common Files\{4875D8BB-087A-1033-0422-04040623002c}
C:\Program Files\Common Files\{4875D8BB-087B-1033-0422-04040623002c}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\Common Files\ICROSO~1.NET
C:\QooBox\Purity\WINDOWS\DOBE~1
C:\QooBox\Purity\WINDOWS\DOBE~1\?dobe


((((((((((((((((((((((((((((((( Files Created from 2006-10-16 to 2006-11-16 ))))))))))))))))))))))))))))))))))


2006-11-15 13:29 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-09 14:57 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2006-11-09 14:57 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2006-11-04 21:40 13,714,856 --a------ C:\zlsSetup_65_737_000_en.exe
2006-11-01 19:38 48,128 --a------ C:\mainboard.exe
2006-11-01 17:54 58,952 --a------ C:\WINDOWS\system32\MsgPlusLoader.dll
2006-10-29 13:57 9,728 --------- C:\WINDOWS\system32\rwnh.dll
2006-10-29 13:57 10,752 --------- C:\WINDOWS\system32\smtpapi.dll
2006-10-26 18:19 50,048 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-10-17 13:33 364,000 --ahs---- C:\WINDOWS\system32\vycdd.bak1


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-16 09:39 -------- d-a------ C:\Program Files\Common Files
2006-11-15 17:04 -------- d-------- C:\Program Files\Spyware Doctor
2006-11-15 17:03 -------- d-------- C:\Program Files\QuickTime
2006-11-15 17:00 -------- d-------- C:\Program Files\iTunes
2006-11-15 17:00 -------- d-------- C:\Program Files\Internet Explorer
2006-11-15 16:36 -------- d-------- C:\Program Files\VSAdd-in
2006-11-15 13:29 -------- d-------- C:\Program Files\Grisoft
2006-11-13 09:48 -------- d-------- C:\Program Files\Trojan Remover
2006-11-10 18:03 -------- d-------- C:\Documents and Settings\Administrator\Application Data\theFilter
2006-11-10 18:01 -------- d-------- C:\Program Files\TheFilter
2006-11-10 17:53 -------- d-------- C:\Program Files\iPod
2006-11-10 17:50 -------- d-------- C:\Program Files\Apple Software Update
2006-11-09 14:57 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Simply Super Software
2006-11-05 17:42 139265 --a------ C:\WINDOWS\system32\PhotoBase Screen Saver.scr
2006-11-05 14:20 -------- d-------- C:\Program Files\WinZip
2006-11-04 21:41 -------- d-------- C:\Program Files\Zone Labs
2006-11-01 17:45 -------- d-------- C:\Program Files\MessengerPlus! 3
2006-10-28 15:27 -------- d-------- C:\Program Files\XoftSpySE
2006-10-28 13:48 -------- d-------- C:\Program Files\SiSLan
2006-10-27 17:41 -------- d-------- C:\Program Files\Photodex Presenter
2006-10-27 17:41 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Netscape
2006-10-27 17:41 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2006-10-26 18:11 -------- d-------- C:\Program Files\xp-AntiSpy
2006-10-26 17:46 -------- d-------- C:\Program Files\a-squared Anti-Malware
2006-10-26 08:49 -------- d-------- C:\Program Files\Outlook Express
2006-10-26 08:49 -------- d-------- C:\Program Files\Common Files\System
2006-10-26 08:49 -------- d-------- C:\Program Files\Common Files\Services
2006-10-26 08:49 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-22 19:21 -------- d-------- C:\Program Files\Registry Mechanic
2006-10-22 17:28 -------- d-------- C:\Program Files\Ubi Soft
2006-10-22 17:24 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-16 08:01 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-10-13 20:47 -------- d-------- C:\Program Files\Messenger
2006-10-13 20:40 -------- d-------- C:\Program Files\Windows Media Player
2006-10-13 20:40 -------- d-------- C:\Program Files\Movie Maker
2006-10-13 20:36 -------- d-------- C:\Program Files\Windows NT
2006-10-13 20:36 -------- d-------- C:\Program Files\NetMeeting
2006-10-11 18:20 383386 --ahs---- C:\WINDOWS\system32\llkkj.ini2
2006-10-11 18:16 383417 --ahs---- C:\WINDOWS\system32\llkkj.bak2
2006-10-11 15:30 143380 --a------ C:\WINDOWS\system32\lcmhamfg.exe
2006-10-10 07:06 143380 --a------ C:\WINDOWS\system32\oyyoxatr.exe
2006-10-09 20:27 373675 --ahs---- C:\WINDOWS\system32\llkkj.bak1
2006-10-07 20:43 -------- d-------- C:\Program Files\Virtools Web Player 3.0
2006-10-07 16:48 -------- d-------- C:\Program Files\Windows Live Safety Center
2006-10-06 12:39 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Windows Live Safety Center
2006-10-05 13:25 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Canon
2006-10-05 09:33 351 --ahs---- C:\WINDOWS\system32\llnmp.ini2
2006-10-04 19:25 0 --a------ C:\Program Files\Common Files\err.log
2006-10-04 19:25 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Logs
2006-10-01 15:39 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2006-10-01 15:36 4992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-10-01 15:36 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-09-29 15:14 -------- d-------- C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
2006-09-29 11:30 -------- d-------- C:\Program Files\MSN Messenger
2006-09-29 09:02 722 --ahs---- C:\WINDOWS\system32\qqtwa.ini2
2006-09-28 19:09 -------- d-------- C:\Program Files\Lavasoft
2006-09-28 19:09 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2006-09-22 15:33 -------- d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2006-09-22 15:32 -------- d-------- C:\Program Files\Google
2006-09-21 19:24 -------- d-------- C:\Program Files\STOPzilla!
2006-09-21 19:24 -------- d-------- C:\Program Files\Common Files\STOPzilla!
2006-09-21 19:19 -------- d-------- C:\Documents and Settings\Administrator\Application Data\STOPzilla!
2006-09-19 15:44 15664 --a------ C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2006-09-19 15:43 109360 --a------ C:\WINDOWS\system32\GEARAspi.dll
2006-08-29 18:43 135168 --a------ C:\WINDOWS\system32\swreg.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"TrojanScanner"="C:\\Program Files\\Trojan Remover\\Trjscan.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{3A947772-3B29-41DB-A436-4B5CAAECE2F6}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"ClearRecentDocsOnExit"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{4875D8BB-087A-1033-0422-04040623002c}"="\"C:\\Program Files\\Common Files\\{4875D8BB-087A-1033-0422-04040623002c}\\Update.exe\" mc-110-12-0000297"
"{4875D8BB-0879-1033-0422-04040623002c}"="\"C:\\Program Files\\Common Files\\{4875D8BB-0879-1033-0422-04040623002c}\\Update.exe\" te-110-12-0000059"
"{4875D8BB-087B-1033-0422-04040623002c}"="\"C:\\Program Files\\Common Files\\{4875D8BB-087B-1033-0422-04040623002c}\\Update.exe\" te-110-12-0000059"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"{4875D8BB-087A-1033-0422-04040623002c}"="\"C:\\Program Files\\Common Files\\{4875D8BB-087A-1033-0422-04040623002c}\\Update.exe\" mc-110-12-0000297"
"{4875D8BB-0879-1033-0422-04040623002c}"="\"C:\\Program Files\\Common Files\\{4875D8BB-0879-1033-0422-04040623002c}\\Update.exe\" te-110-12-0000059"
"{4875D8BB-087B-1033-0422-04040623002c}"="\"C:\\Program Files\\Common Files\\{4875D8BB-087B-1033-0422-04040623002c}\\Update.exe\" te-110-12-0000059"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^iMesh.lnk]
"backup"="C:\\WINDOWS\\pss\\iMesh.lnkStartup"
"location"="Startup"
"item"="iMesh"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
"location"="Startup"
"item"="PowerReg Scheduler V3"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
"location"="Startup"
"item"="PowerReg Scheduler"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^reminder-ScanSoft Product Registration.lnk]
"backup"="C:\\WINDOWS\\pss\\reminder-ScanSoft Product Registration.lnkStartup"
"location"="Startup"
"item"="reminder-ScanSoft Product Registration"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="D:\\MICROS~1\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Philips ThumbCam Monitor.lnk]
"backup"="C:\\WINDOWS\\pss\\Philips ThumbCam Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\PHILIP~2\\PHILIP~1.EXE "
"item"="Philips ThumbCam Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDll32 cmicnfg"
"hkey"="HKLM"
"command"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eastenders Screenmate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SM"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fdm"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchList]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LaunchList"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MediaAccK"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MISAggregator]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWFX5_0001_N53L1025]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UWFX5_0001_N53L1025NetInstaller"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpiStat]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="OpiStat"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"inimapping"="0"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegSvr32]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dragdiag"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Alcatel\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\j2re1.4.2_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDO23]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="s23e-3"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFixer2005]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UWFX5"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job

Completion time: 06-11-16 9:39:48.93
C:\ComboFix.txt ... 06-11-16 09:39


Logfile of HijackThis v1.99.1
Scan saved at 11:13:39, on 16/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kristi123.spaces.live.com//Photo ... nPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resourc ... ase969.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ ... loader.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McRedirector - Unknown owner - (no file)
O23 - Service: McShield - Unknown owner - (no file)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Grezza
Regular Member
 
Posts: 82
Joined: November 3rd, 2006, 4:19 pm

Unread postby Trogan » November 16th, 2006, 11:44 am

Hi Grezza! Thank you for your effort - it is appreciated! :)
___________________________

Find and Delete the following in RED, if present:

C:\WINDOWS\system32\vycdd.bak1
C:\WINDOWS\system32\lcmhamfg.exe
C:\WINDOWS\system32\oyyoxatr.exe
C:\WINDOWS\system32\llkkj.ini2
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\llkkj.bak2
C:\WINDOWS\system32\llnmp.ini2
C:\WINDOWS\system32\qqtwa.ini2
C:\Program Files\VSAdd-in
C:\mainboard.exe

____________________________

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.

Please post the Kaspersky log back here.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Grezza » November 16th, 2006, 3:41 pm

There's an absolute boat load of stuff from the Kaspersky scan, so much so that when I posted it all, the system crashed.
Here's the first part of it, do you need every last drop?
If so I'll try again.
G.

KASPERSKY ONLINE SCANNER REPORT
Thursday, November 16, 2006 6:41:45 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 16/11/2006
Kaspersky Anti-Virus database records: 242470
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 84472
Number of viruses found: 14
Number of infected objects: 42 / 0
Number of suspicious objects: 2
Duration of the scan process: 01:32:07
Grezza
Regular Member
 
Posts: 82
Joined: November 3rd, 2006, 4:19 pm

Unread postby Trogan » November 16th, 2006, 3:45 pm

If the log is too big to post, you can email it to me. Address is: Trogan_1000 AT hotmail.com (replace AT with @)

The Kaspersky log is a good way to check what's on the computer, so I would need to see the complete log.

Thanks!
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Trogan » November 16th, 2006, 7:13 pm

Hi Grezza!

Thanks for emailing the Kaspersky log; it looks clean.
_______________

We need to stop a Service...
- Click the Start button then select Run
- Type: services.msc then hit OK
- Scroll down and find the service called.

McRedirector

- Right-click on Service and choose "Properties"
- On the "General" tab under "Service Status" click the "Stop" button to stop the service
- Beside "Startup Type" in the dropdown menu select "Disabled"
- Click Apply then OK.

Please do the same for this service:
McShield

When completed, exit the Services utility
(Note: If the service isn't listed go ahead with the rest of the instructions)

Let's delete the services
- Start HijackThis
- Click the "Open the Misc Tools section" button
- Click the "Delete an NT Service" button
- Copy and Paste the bold text below in the "Delete an NT Service" window

McRedirector

- Click "OK"

Do the same for this service:
McShield

- Close HijackThis.
______________________________

Open Notepad!
Copy and Paste everything from the Quote box into Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{3A947772-3B29-41DB-A436-4B5CAAECE2F6}"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{4875D8BB-087A-1033-0422-04040623002c}"=-
"{4875D8BB-0879-1033-0422-04040623002c}"=-
"{4875D8BB-087B-1033-0422-04040623002c}"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"{4875D8BB-087A-1033-0422-04040623002c}"=-
"{4875D8BB-0879-1033-0422-04040623002c}"=-
"{4875D8BB-087B-1033-0422-04040623002c}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWFX5_0001_N53L1025]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDO23]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegSvr32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFixer2005]


Go to File > Save As
Save the file as "regfix.reg" (including the quotes) to your Desktop.
Close Notepad, and double-click regfix.reg on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK

Reboot your computer and let me know how things are.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London
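
The regfix.reg in the post above only removes entries. As an added example that is not part of the thread, this Python script previews what a REGEDIT4 file will do before it is merged, so the deleted keys ([-KEY]) and deleted values ("name"=-) can be checked against the log lines that justified them; the sample input is the helper's regfix.reg copied from the post.

```python
"""Preview what a REGEDIT4-format .reg file will do before merging it.

Added example, not part of the thread: regedit merges a file after one
confirmation, so it is worth listing which keys and values the file
deletes ([-KEY] and "name"=-) and which it sets, before double-clicking.
"""
import re
from dataclasses import dataclass, field

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")                # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')     # "name"=data


@dataclass
class RegPreview:
    deleted_keys: list = field(default_factory=list)     # [key]
    deleted_values: list = field(default_factory=list)   # [(key, value name)]
    set_values: list = field(default_factory=list)       # [(key, value name, raw data)]
    errors: list = field(default_factory=list)

    @property
    def delete_only(self) -> bool:
        """True when the file removes entries and creates or changes nothing."""
        return not self.set_values and not self.errors


def preview_reg(text: str) -> RegPreview:
    out = RegPreview()
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        out.errors.append("missing REGEDIT4 / 'Windows Registry Editor Version 5.00' header")
        return out
    current = None  # key that the following value lines apply to
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                out.deleted_keys.append(key)
                current = None  # value lines make no sense after a key deletion
            else:
                current = key
            continue
        if line.startswith("@="):
            name, data = "(Default)", line[2:]
        else:
            m = VALUE_RE.match(line)
            if not m:
                out.errors.append(f"line {n}: not a key or value line: {line}")
                continue
            name, data = m.groups()
        if current is None:
            out.errors.append(f"line {n}: value {name!r} is outside any [key] section")
        elif data == "-":
            out.deleted_values.append((current, name))
        else:
            out.set_values.append((current, name, data))
    return out


# Sample input: the regfix.reg from the post above, copied verbatim.
REGFIX = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{3A947772-3B29-41DB-A436-4B5CAAECE2F6}"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{4875D8BB-087A-1033-0422-04040623002c}"=-
"{4875D8BB-0879-1033-0422-04040623002c}"=-
"{4875D8BB-087B-1033-0422-04040623002c}"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"{4875D8BB-087A-1033-0422-04040623002c}"=-
"{4875D8BB-0879-1033-0422-04040623002c}"=-
"{4875D8BB-087B-1033-0422-04040623002c}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWFX5_0001_N53L1025]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDO23]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegSvr32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFixer2005]
"""

if __name__ == "__main__":
    p = preview_reg(REGFIX)
    for k in p.deleted_keys:
        print("delete key  ", k)
    for k, v in p.deleted_values:
        print("delete value", v, "under", k)
    for k, v, d in p.set_values:
        print("set value   ", v, "=", d, "under", k)
    print("delete-only:", p.delete_only, "| errors:", p.errors)
```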

Unread postby Grezza » November 17th, 2006, 4:37 am

Hi there.
I did everything except get rid of McShield.
In services it tells me that "the specified device instance handle does not correspond to a present device" and it wouldn't let me do anything.
But in HiJack This it can't be deleted because HJT says it's still running.

If we get over this small hurdle am I free to surf again or are there some safety features I should be aware of?

Cheers,

Grezza.
Grezza
Regular Member
 
Posts: 82
Joined: November 3rd, 2006, 4:19 pm

Unread postby Trogan » November 17th, 2006, 10:58 am

Hi Grezza,

I did everything except get rid of McShield.
In services it tells me that "the specified device instance handle does not correspond to a present device" and it wouldn't let me do anything.
But in HiJack This it can't be deleted because HJT says it's still running.

Could I see a new HJT log please.

If we get over this small hurdle am I free to surf again or are there some safety features I should be aware of?

Yep, but first I need to give you an 'all clean' speech as standard procedure. I'll do that after I see the new HijackThis log.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Grezza » November 17th, 2006, 11:38 am

I'm nearly getting excited!

Logfile of HijackThis v1.99.1
Scan saved at 15:37:02, on 17/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\UAService7.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kristi123.spaces.live.com//Photo ... nPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resourc ... ase969.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ ... loader.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - (no file)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Grezza
Regular Member
 
Posts: 82
Joined: November 3rd, 2006, 4:19 pm

Unread postby Trogan » November 17th, 2006, 2:55 pm

Grezza, please do the following...

Go to Start > Run > type: cmd > click OK. A command prompt will open.

Type the following into the box:

net stop McShield --> Press Enter
sc stop McShield --> Press Enter
sc delete McShield --> Press Enter
Exit --> Press Enter and the Command Prompt should close

Reboot your computer and post a new HijackThis log.

In case this has not worked, I need to know what version of McAfee this is, please.

Thanks! :)
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Grezza » November 17th, 2006, 3:07 pm

I did that, and after the 1st command it said "The McShield service is not started".
The following 2 came back with "Access is denied"

McAfee was part of Internet Security Suite 6 or 7. I don't know which, cos that's when my problems started!

Logfile of HijackThis v1.99.1
Scan saved at 19:02:45, on 17/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kristi123.spaces.live.com//Photo ... nPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resourc ... ase969.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ ... loader.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - (no file)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Grezza
Regular Member
 
Posts: 82
Joined: November 3rd, 2006, 4:19 pm
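
As an added example that is neither from the thread nor HijackThis code, a small Python triage of the O4, O20 and O23 lines in a log like the one above: it flags services that are still registered but point at "(no file)", which is exactly the McShield entry the helper is trying to remove, along with services with no vendor name and any AppInit_DLLs entry. The sample lines are a constructed subset copied from the 17/11/2006 log above.

```python
"""Triage the O4 / O20 / O23 lines of a HijackThis v1.99 log.

Added example, not part of the thread and not HijackThis code: it parses
the line formats seen in the logs above and flags what a helper reads
first, such as a service registration whose binary is gone ("(no file)").
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# O23 - Service: <display name> [(<short name>)] - <owner> - <path or (no file)>
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
SHORT_NAME_RE = re.compile(r"^(.*) \(([^()]+)\)$")
# O4 - HKLM\..\Run: [entry name] command line
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.*)$")


@dataclass
class Service:
    display: str
    short: Optional[str]
    owner: str
    path: str

    @property
    def orphaned(self) -> bool:
        """Registered under Services but HijackThis found no binary on disk."""
        return self.path == "(no file)"


@dataclass
class Finding:
    kind: str
    detail: str
    line: str


def parse_service(line: str) -> Optional[Service]:
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    display, owner, path = m.groups()
    short = None
    sm = SHORT_NAME_RE.match(display)   # trailing "(ShortName)" is the service key name
    if sm:
        display, short = sm.groups()
    return Service(display, short, owner, path)


def run_entries(log: str) -> List[Tuple[str, str, str, str]]:
    """All O4 autostart entries as (hive, subkey, entry name, command)."""
    out = []
    for raw in log.splitlines():
        m = RUN_RE.match(raw.strip())
        if m:
            out.append(m.groups())
    return out


def triage(log: str) -> List[Finding]:
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = APPINIT_RE.match(line)
        if m and m.group(1).strip():
            findings.append(Finding("appinit_dll",
                f"{m.group(1).strip()} is loaded into every process that loads user32.dll; "
                "confirm which installed program owns it", line))
            continue
        svc = parse_service(line)
        if svc is None:
            continue
        if svc.orphaned:
            findings.append(Finding("orphaned_service",
                f"service '{svc.display}' is registered but its binary is missing; "
                "stop it and remove the registration (Services console, sc delete, "
                "or the vendor's removal tool)", line))
        elif svc.owner == "Unknown owner":
            findings.append(Finding("unknown_owner_service",
                f"'{svc.display}' at {svc.path} carries no vendor name; "
                "confirm it belongs to installed software", line))
    return findings


# Constructed sample: a handful of lines copied from the 17/11/2006 log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: McShield - Unknown owner - (no file)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for hive, subkey, name, cmd in run_entries(SAMPLE_LOG):
        print(f"autostart {hive}\\..\\{subkey} [{name}] -> {cmd}")
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
```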

Unread postby Trogan » November 17th, 2006, 3:20 pm

Hi Grezza! Let's try something different.

Go to Start > Run > type: regedit

Note: once the Registry Editor is open, please do not delete or modify anything.

Go to this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McShield

Select the key by clicking on it.

Right click and select Permissions. Highlight Administrator and tell me which checkboxes have a checkmark in them or post a screenshot if you find that easier.

Thanks! :)
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Grezza » November 17th, 2006, 3:30 pm

Screenshot?!!
I wouldn't know where to start!!

Full Control and Read are ticked under the Allow heading.
Special Permission is not ticked.

G.
Grezza
Regular Member
 
Posts: 82
Joined: November 3rd, 2006, 4:19 pm

Unread postby Trogan » November 17th, 2006, 5:40 pm

Hi Grezza!

Please Download and run the McAfee Removal tool from the link below. Instructions are provided.

http://ts.mcafeehelp.com/displaydoc.asp ... yId=107187

Post a new HijackThis log afterwards.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Grezza » November 17th, 2006, 5:48 pm

I think it's gone!!

Logfile of HijackThis v1.99.1
Scan saved at 21:46:40, on 17/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\UAService7.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HJT.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kristi123.spaces.live.com//Photo ... nPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resourc ... ase969.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ ... loader.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Grezza
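A small triage script for the O16/O18/O20/O23 lines in the log above. This is an added example for the thread, not a HijackThis feature and not something either poster ran; it parses the line shapes visible in the log and sorts them into the buckets a helper looks at first: O23 services whose publisher field is "Unknown owner", O18 protocol handlers whose DLL is marked "(file missing)", O20 AppInit_DLLs entries (loaded into every user-mode process that loads user32.dll) and Winlogon Notify DLLs (loaded into winlogon.exe), and the hosts the O16 ActiveX controls were downloaded from. It does not decide good or bad; whether Ati2evxx.exe is the real ATI binary still needs a signature or hash check. The sample log is copied from the post, with the URLs truncated by "..." exactly as the forum rendered them.

```python
"""Triage helper for HijackThis O16/O18/O20/O23 lines (added example)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Lines copied from the log above; "..." is the forum's own URL truncation.
SAMPLE_LOG = r"""
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resourc ... ase969.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
"""


@dataclass
class Entry:
    kind: str                 # HijackThis section: O16, O18, O20, O23
    name: str                 # control / protocol / DLL / service display name
    path: str                 # local file path or download URL
    owner: str = ""           # O23 only: publisher string as printed in the log
    flags: list = field(default_factory=list)


_O16 = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.+?)\) - (.+)$")
_O18 = re.compile(r"^O18 - Protocol: (\S+) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
_O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
_O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (.+?) - (.+)$")
_O23 = re.compile(r"^O23 - Service: (.+)$")


def parse_hjt(text):
    """Parse O16/O18/O20/O23 lines into Entry objects; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _O16.match(line):
            entries.append(Entry("O16", m.group(2), m.group(3)))
        elif m := _O18.match(line):
            path, flags = m.group(3), []
            if "(file missing)" in path:          # HijackThis's own annotation
                flags.append("file missing")
                path = path.replace("(file missing)", "")
            entries.append(Entry("O18", m.group(1), path.strip().strip('"'), flags=flags))
        elif m := _O20_APPINIT.match(line):
            # AppInit_DLLs is a space- or comma-separated list of DLL names
            for dll in re.split(r"[ ,]+", m.group(1).strip()):
                if dll:
                    entries.append(Entry("O20", dll, dll, flags=["AppInit_DLLs"]))
        elif m := _O20_NOTIFY.match(line):
            entries.append(Entry("O20", m.group(1), m.group(2), flags=["Winlogon Notify"]))
        elif m := _O23.match(line):
            # "<display name> - <owner> - <path>"; split from the right so a
            # display name containing " - " still parses
            parts = m.group(1).rsplit(" - ", 2)
            if len(parts) == 3:
                name, owner, path = parts
                flags = ["unknown owner"] if owner == "Unknown owner" else []
                entries.append(Entry("O23", name, path, owner, flags))
    return entries


def triage(entries):
    """Sort entries into the buckets a helper reads first."""
    report = {
        "unknown_owner": [],     # O23 services with no publisher string
        "file_missing": [],      # O18 handlers whose DLL is gone (dead entry)
        "appinit_dlls": [],      # injected into every process loading user32.dll
        "winlogon_notify": [],   # loaded into winlogon.exe, which runs as SYSTEM
        "activex_hosts": set(),  # sites that installed downloaded program files
    }
    for e in entries:
        if "unknown owner" in e.flags:
            report["unknown_owner"].append(e.name)
        if "file missing" in e.flags:
            report["file_missing"].append(e.name)
        if "AppInit_DLLs" in e.flags:
            report["appinit_dlls"].append(e.name)
        if "Winlogon Notify" in e.flags:
            report["winlogon_notify"].append(e.name)
        if e.kind == "O16":
            host = urlsplit(e.path).hostname
            if host:
                report["activex_hosts"].add(host)
    report["activex_hosts"] = sorted(report["activex_hosts"])
    return report


if __name__ == "__main__":
    for bucket, items in triage(parse_hjt(SAMPLE_LOG)).items():
        print(f"{bucket}: {items}")
```

Run it against a full saved HijackThis log by replacing SAMPLE_LOG with the file's contents; the "unknown_owner" and "file_missing" buckets are where to start, and the "activex_hosts" list tells you which sites were allowed to install code in Internet Explorer.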

Post by Trogan » November 17th, 2006, 6:22 pm

Yep, it's gone! :occasion5:

Let me know how things are, and if we can archive this thread.

You can delete the following, if you still have them:

Brute Force Uninstaller
ComboFix
VundoFix
SDFix
regfix.reg file
McAfee removal tool


Here are some measures you can take to stay more secure online:

First, you should flush your System Restore points after ridding yourself of malware. You can do this as follows:

  • Click Start | Help and Support | Undo changes to your computer with System Restore.
  • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
  • Close the Help and Support Center box.
  • Click Start | Run and type Cleanmgr
  • Select (C:) then click OK.
  • Click the More Options tab.
  • Click Clean Up in the System Restore Section.
This will remove all previous restore points except the newly created one.

Hide system files
It is very important that system files and folders are hidden again, so that they DO NOT get deleted by mistake. To hide system files and folders, do the following for your operating system...

Windows XP
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading, uncheck Do not show hidden files and folders
* Check the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Keep your anti-virus and firewall updated and run regular scans.

Install and keep updated Ad-Aware SE and Spybot Search & Destroy.
Run them both on a regular basis, following the manufacturer's recommendations.

Install and keep updated SpywareBlaster and SpywareGuard.

Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when they are installed and return to make sure there are no others.

Again, let me know how things are, and if we can archive this thread.
Trogan
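The "Hide system files" steps in the post above are stored by Explorer as two per-user registry values, so they can be checked (and set) without clicking through Folder Options. This is an added example and not part of the thread; the key path and value meanings are Explorer's own, the script is not. It encodes the end state the section asks for (hidden files and protected operating system files hidden again, which is also Explorer's default): under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden = 2 means "Do not show hidden files and folders" (1 shows them) and ShowSuperHidden = 0 means "Hide protected operating system files" is checked (1 shows them). audit() runs anywhere on a dict of values; read_live() and apply() need Windows because they use the standard winreg module.

```python
r"""Check that Explorer hides hidden and protected OS files again (added example)."""
import sys

# Per-user key behind Folder Options > View (Windows XP and later).
ADVANCED_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Wanted values once cleanup is finished: Hidden=2 is "Do not show hidden
# files and folders" (1 = show); ShowSuperHidden=0 hides protected operating
# system files (1 = show). Both are Explorer's defaults.
EXPECTED = {"Hidden": 2, "ShowSuperHidden": 0}


def audit(values):
    """values: {name: DWORD} for the Advanced key, live or constructed.
    Returns (name, current, wanted) for each setting that still shows files.
    A missing value is reported as well so apply() writes it explicitly."""
    return [(n, values.get(n), w) for n, w in EXPECTED.items() if values.get(n) != w]


def read_live():
    """Read the two values from the current user's hive (Windows only)."""
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ADVANCED_KEY) as key:
        for name in EXPECTED:
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass                       # value absent: Explorer default applies
    return out


def apply(findings):
    """Write the wanted values. Explorer windows already open keep the old
    view until they are refreshed or reopened."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ADVANCED_KEY, 0,
                        winreg.KEY_SET_VALUE) as key:
        for name, _, wanted in findings:
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, wanted)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live check needs Windows; audit() still works on a dict of values")
    findings = audit(read_live())
    for name, current, wanted in findings:
        print(f"{name}: is {current}, want {wanted}")
    if not findings:
        print("hidden files and protected operating system files are hidden")
    elif "--fix" in sys.argv:
        apply(findings)
        print("updated; reopen Explorer windows to see the change")
```

Run it with no arguments to report, or with --fix to set both values for the current user; it only touches HKCU, so no administrator rights are needed. The System Restore flush in the same post has no equivalent here, since on Windows XP that is done through cleanmgr's More Options tab as described.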
